On July 16th, 2020, the Court of Justice of the European Union (CJEU) handed down its long-awaited “Schrems II” court ruling, in which it invalidated the so-called “Privacy Shield”. This framework allowed the transfer of personal data (commercial, health, HR, etc.) between the European Union (including the European Economic Area – (EEA)) and companies established in the United States that had joined the Privacy Shield scheme, without requiring any additional guarantees for the protection of the rights and freedoms of individuals, as allowed by an adequacy decision.
The CJEU considered that the requirements of US law, especially programmes allowing access by US public authorities, for national security purposes, to transfer personal data towards the US, and results in limitations on the protection of personal data.
What are the consequences of this court ruling?
The decision of the CJEU applies to any transfer to the United States by electronic means that falls within the scope of this legislation, regardless of the tool used for the transfer.
Transfers based on the Privacy Shield are now illegal.
Therefore, can the European Commission’s standard contractual clauses be used for data transfers to the US?
In its Shrems II decision, the CJEU has validated these clauses.
However, for these transfer clauses to be valid, it will depend on the outcome of the assessment, which will take into account the circumstances of the transfers and the additional measures that the company could put in place. After a case-by-case analysis of the circumstances surrounding the transfer, the clauses and additional measures will have to ensure that the US legislation does not compromise the adequate level of protection that the clauses guarantee.
However, in view of the CJEU ruling on US regulation, the contractual clauses do not appear to offer a satisfactory solution for transferring data to the US.
Other guarantee instruments such as Binding Corporate Rules (BCR) could suffer the same fate without adaptation of the US legislation.
The European Data Protection Board is currently trying to determine the type of complementary measures that could be provided in addition to the standard contractual clauses and BCRs to transfer data to third countries.
What tools are used today to transfer data from the EEA to the US?
The only remaining possibility is to carry out data transfers under the derogations provided for in Article 49 of the GDPR (consent, contractual basis, etc.).
It is essential to review the contracts with its processors by signing an addendum in which it shall be mentioned that they store and process your data on a territory other than the United States and which can guarantee adequate protection for the personal data.
Beware that the United Kingdom and Northern Ireland are in the process of leaving the European Union and that the current negotiations seem to show that they will not be part of the EEA. They will be considered, in this case, as third countries.
Please note that the CJUE has not granted any grace period during which companies can continue to transfer data to the US. Therefore, all transfers must stop.
Moreover, on September 10th, 2020, the Irish supervisory authority ordered Facebook to suspend all transfers of data from its European users to the United States (Source: https://www.lesechos.fr/tech-medias/hightech/la-cnil-irlandaise-demande-a-facebook-de-suspendre-ses-transferts-de-donnees-vers-les-etats-unis-1241190).
Facebook (in this case) or any organization that would continue to transfer data from the EU to the US may be subject to an administrative fine of 20 million euros or 4% of total worldwide annual turnover. Beyond the administrative fine, entities may be prohibited from processing personal data, which in some cases may be more restrictive than a fine.
Where to start?
To check whether your organisation is impacted by this decision, here is a list of practical questions you need to answer to comply with the requirements of the GDPR and the CJEU decision:
1) Check all processing activity registered in your record to see if you are transferring personal data to the US:
- Are your subcontractors, partners or third parties established in the USA?
- Where are your servers located? (CRM, website host)?
- Do you use a Cloud?
- Beware of cookies and marketing tools that are often operated by Google, Amazon etc. whose hosting locations are spread around the world (Google has data centres in Europe in particular).
- Special attention: if your record is not up to date, make sure to check if you have any new transfers to the US or new subcontractors.
- Important: if the personal data transferred are anonymised, the GDPR will not apply but if they are only pseudonymised, the GDPR will apply since it is possible to re-identify the data subjects.
2) For each processing activity concerned (transfer to the United States), check the appropriate safeguards for the rights and freedoms of the data subjects:
- If you have not put in place appropriate measures (e.g. contract, data protection agreement or “Data Processing Agreement”), the transfer must be suspended.
- If you have a contract with your sub-contractor, verify the clauses concerning data transfers and amend them if necessary. It should be noted that Art 46.3 allows, with the authorisation of the competent supervisory authority, the possibility of providing appropriate guarantees in the form of sui generis contractual clauses (commercial company) or administrative arrangements (public authority): the primary contract must be reviewed and include clauses respecting the principles, rights and obligations in contractual matters (e.g. civil code, national and international laws) and data protection (GDPR, E-privacy, NIS, etc.).
3) If the transfer is “occasional and non-repetitive” (e.g. a hotel reservation in the United States) it is possible to transfer data in the context of a contract or if the consent of the data subject is given (= derogatory regime of Art. 49).
4) Review the policies and information available to guests and/or employees:
- Make the necessary changes to bring your new situation into line with the information given (e.g. new server locations, new European subcontractor, setting up contracts etc.).
- Inform data subjects (e.g. update your privacy policies and other cookie statements).
Please note that GAFAMs have data centres located within the EU. It would be sensible to suggest that personal data of companies located in the territory of the Union should be kept on the same territory (territoriality clause – ratione loci in contract law).